Sprint Revealed GPS Data To Authorities 8 Million Times In The Last Year [Updated]

from the yowzers dept

This seems too insane to be true, but the EFF points us to a report, based on a Freedom of Information Act request, that claims Sprint provided law enforcement with GPS location data a staggering 8 million times in the last year. Sprint apparently set up some sort of portal that made such requests easier, and it sounds like law enforcement took advantage of that in a major way. The report also notes that this information should have been disclosed to Congress, under a 1999 law, but the Justice Department has ignored the law for the past five years. The rest of the report also looks at some other concerning factors, such as the fact that the government seems to regularly get all sorts of info from service providers, with little oversight. On top of that, it explains why so many service providers agree to it: they charge the government for such info, and it's quite lucrative. As such, they actually have the incentive to encourage the government to ask for more information and to deliver it to them as quickly and efficiently as possible. However, you have to wonder how so many requests are being made with such little oversight -- and how often this means the process is abused to spy on individuals with no legal basis. Update: Sprint is now trying to explain this by saying that the numbers represent number of "pings" and that can include thousands of pings per a single investigation. In a single investigation, once law enforcement has a court order, it can check someone's location every 3 minutes for up to 60 days -- and that's what made the number so inflated.

t-o insane?

Wow

That full article is impressive. To all, I'd strongly recommend at least skimming it. Christopher Soghoian makes very few assertions (still makes a few though) without backing them up with links to documents or audio. He often follows what could be taken out of context as a slanderous conjecture with disclaimers such as "That doesn't mean the published stats are necessarily incorrect -- merely that most types of surveillance are not reported."

It's a good read, and if nothing else, plenty of links to damning documents and audio.

outdated privacy laws

A huge part of the problem is the fact that our current privacy laws are completely outdated. Law enforcement agencies can request geolocation data and other private information from companies with little or no court oversight, and the customer is unlikely to ever even know that their information was disclosed.

You can read more about the issue at our Location Information page here: http://tr.im/GkQT.

So let me get this right: The Federal Government mandates, and subsidizes wireless company e911 systems (with taxpayer money) so the Government can spend taxpayer money which allows some overbearing guy keep tabs on his ex and send an alert when she leaves the movie theater?

Please, sign me up for that plan!

And in unrelated news, it was finally discovered why Jerry Springer was suddenly can canceled. Apparently all the regular guests went to work for the Government.

I wonder if Dark Helmet going to create that character I mentioned last week. It would be super awesome.

GPS data is often provided directly as part of a 911 call. It would be VERY interesting to see an actual breakdown of the numbers - out of those 8 million times, how many were part of a criminal investigation, and how many were normal 911 style calls?

I can't help but thinking this is a case of numbers being used to create a scare without actually explaining what those numbers are.

Re:

There's more than just that "8 million GPS" requests being bandied about here, call records and wiretaps have some incredibly interesting trends in reported numbers and requests over the last 10 years. From the linked article:

First, Verizon revealed in its letter that it "receives tens of thousands of requests for customer records, or other customer information from law enforcement."

Assuming a conservative estimate of 20,000 requests per year, Verizon alone receives more requests from law enforcement per year than can be explained by any published surveillance statistics.

Re: Re:

Again, I think there is a situation here where different parties may be calling things by different names, and ending up making it look like a bigger pile of stuff than it really is.

Requesting customer records isn't always part of "surveillance". It could be part of a criminal investigation (such as to find out the name / address of a dead person), or to track back a phone number used in a Craigslist pimping ad. Because there is no indication, no breakdown, no way to tell if we are talking apples to apples comparisions, it's just a golly gee shit number that means little.

It's intended to scare, and Mike linking and talking about it is just helping to share the scare, without actually looking at what the numbers really are.

Re: Re: Re:

Nice Strawman.

Apparently you didn't read the article.

This is broken down in the article and accompanying audio. The point is that these days, it don't even need it to be a part of a criminal investigation, as evidenced by completely automating GPS tracking causing 8M "hits within a few months" according to SprintNextel Reps.

When you go from zero to 8M in a few months, how can you believe there isn't potential for abuse?

Plus, what you see is that telecoms are in bed with the government, a complete 180 from the 1970s where Personal Information was well protected from prying through subpoenas, and due process. Partially because of Watergate.

Re: Re: Re:

A valid point, and one not raised in Mike's opinion nor the original article as you've correctly pointed out, but if you're implying there's nothing to be concerned about here I think you also making a lapse in judgement that could cause more harm than good.

One of the other main points brought up by Soghoian is the downward trend in reported electronic surveillance requests. It's highly suspect that that is the case, or if it is, it's hiding what's really going on. Even if electronic surveillance hasn't skyrocketed, we just don't know because the true picture isn't shown by the reported numbers.

Re: Re: Re: Re:

Again, you guys aren't thinking about what these requests could be, and certainly not related to any surveillance.

Example, a person is missing. Check the GPS database to see if their phone is on somewhere. That might be a place to start. A guy claims he "didn't do it" (whatever it was) and says he was in Jersey at the time. A quick check of the database shows his phone was in fact in jersey at the time. Hmm! In those cases, example, I wouldn't expect to see an electronic surveillance notice issued, would you?

I looked at the original article, but I didn't lose my life listening to an audio for a story that reads more like guys with defective tinfoil hats more than anything else.

Re: Re: Re: Re: Re:

I hear what you're saying, there's definitely just cause for an ISP saying we get X requests, and that number being significantly higher than the Y requests that are reported by enforcement, not least of which the examples you cite and the update from sprint in Mike's summary. My concern is the lack of transparency shown by the downward trend in Y requests, and in the clear lack of transparency on what those X requests are as evidenced by the tooth and nail fighting to even get hints at what those numbers are.

We don't know, you may be right, but there are things to be concerned about here.

Re: Re: Re: Re: Re: Re:

Well, here is an example: in the past, to get phone records might have automatically triggered as "Y" report. But now with the direct position information system, maybe less phone records are being pulled and more direct location infomation is being looked at, that isn't a "Y" request.

It isn't clear that the GPS data is being used for surveillance, but possibly for many other uses not related to specifically watching a suspect or the equivalent of a wiretap or similar. perhaps that goes in the "Z" pile that isn't being reported or included here.

Stories like this always seem to end up wrapped in tin foil. To me it reads like scare mongering.

Re: Re: Re: Re: Re: Re: Re:

It isn't clear that the GPS data is being used for surveillance, but possibly for many other uses not related to specifically watching a suspect or the equivalent of a wiretap or similar. perhaps that goes in the "Z" pile that isn't being reported or included here.

And the fact that only Sprint and the Justice Department know what is actually going on doesn't concern you at all?

Re: Re: Re: Re: Re:

The article mainly focuses on DPI, and potential for CALEA abuse. GPS is only one small part of the article, but it showcases the big legal gap between carriers and law enforcement.

Mainly, it's a bunch of Telecom Execs trying to substantiate their jobs, and continue to live within the bounds of the "Massive and illegal program" to wiretap and data-mine Americans' communications, in a post 9-11 era, including potential monetization of customer data and customer information.

Just like you are doing. It's fine that you're willing to give up your liberty. If you think it's worth coupons, have at it.

Re: Re: Re: Re: Re:

"In those cases, example, I wouldn't expect to see an electronic surveillance notice issued, would you?"

Yes, I would, actually.

Law enforcement powers to directly access our records is such a strong, blunt instrument that I would expect that a notice is issued each and every time they are used, whether part of a criminal investigation or not.

It isn't tin-foil-hat stuff to point out that law enforcement has a long and rich history of abusing the powers granted to it, and thus it's wise to continually scrutinize every application of those powers to prevent further abuse. Given that the trend over the past few decades has been to expand their powers significantly, I expect that oversight would expand in proportion.

Re: Per subscriber...

The Update

Update: Sprint is now trying to explain this by saying that the numbers represent number of "pings" and that can include thousands of pings per a single investigation. In a single investigation, once law enforcement has a court order, it can check someone's location every 3 minutes for up to 60 days -- and that's what made the number so inflated.

A few words different and there would have been no attitude. Even if you really feel the need to make it clear that you doubt Sprint's response, there's no need to put it in those exact words. "Sprint is now trying to explain this" could be easily written as "Sprint has responded". Things like this only serve as fodder for your critics. I'm by no means saying I'm above this, but I hold your writing to a higher standard because of your greater visibility and the editing resources you (should) have. A few choice wording differences could really raise the level of professionalism without detracting from the voice of your opinions.

Re: Re: The Update

I think you run with stories like this to get the old "moral outrage" vibe going without worrying about the facts.

The guys with the tin foil hats that wrote the original story now look like fools, because they failed to get all of the information before going off on a rant. You look like a fool because you took their word for it.

Regardless of the total number of request, the one significant datapoint that is missing is the number of arrests and convictions that were specifically related to the wiretaps, GPS requests, or other similar "wiretap" request.

The spokesman wouldn’t disclose how many of Sprint’s 48 million customers had their GPS data shared, or indicate the number of unique surveillance requests from law enforcement.

Ok, so how many is it? Sprint is only saying that it *could* be less that the 8 million, not that it *is* by any specific amount. If they're hiding the numbers, who's to say it isn't nearly 8 million customers?

Anonymous Coward

Whose side are you on? Why should we believe the postings of someone who is so afraid of big government he/she cannot put his/her name to the posting? Sorry, either side you take, you have no credibility with me. I have read the article and my conclusion is Sprint has handed out as much information the government was willing to pay for without a concern of customer's privacy. It sounds like the only privacy someone can have is to power down their phone and remove their batteries, otherwise Sprint will happily give your GPS location (for starters) to any Joe Friday running a Dragnet.

Anonymous Coward

Whose side are you on? Why should we believe the postings of someone who is so afraid of big government he/she cannot put his/her name to the posting? Sorry, either side you take, you have no credibility with me. I have read the article and my conclusion is Sprint has handed out as much information the government was willing to pay for without a concern of customer's privacy. It sounds like the only privacy someone can have is to power down their phone and remove their batteries, otherwise Sprint will happily give your GPS location (for starters) to any Joe Friday running a Dragnet.

Re: numbers

But most importantly, the real number isn't 8 million individuals, but rather a number between 277.77 and 8 million, likely much closer to the low number than the high number. That in turn blows out all of the concern about there being less surveillance reported, as this number isn't anywhere near as high as they thought it was.

Sensationalist Reporting - Not News

Info a responsible reporter obtained:

There are four circumstances under which law enforcement agents can use the Sprint website and obtain GPS data: 1) under the authority of a court order; 2) to track the location of a customer who has made a 911 call; 3) in an emergency situation, such as tracking someone lost in the wilderness or trying to locate an abducted child or hostage; 4) with a customer’s consent.

Re: Sensationalist Reporting - Not News

There are four circumstances under which law enforcement agents are legally permitted to use the Sprint website and obtain GPS data:

There, fixed that for you. Personally, I am not at all convinced those are the only situations in which they're actually using the data, especially since they are apparently ignoring the requirement to report to Congress. Executive power with no oversight? What could go wrong??

Re: Re: Sensationalist Reporting - Not News

Re: Re: Sensationalist Reporting - Not News

since they are apparently ignoring the requirement to report to Congress

Unproven by the story presented. Since we don't know how many of those 8 million requests were on the same number / phone, we don't know how many INDIVIDUAL numbers were checked. Therefore, there is no way to match up the requests to any reporting that needs to be done.

You are drawing a conclusion where there is not conclusive evidence, just the tin foil hat dudes ranting, and they have already been shown to be wrong on at least part of the story.

Re: Re: Re: Sensationalist Reporting - Not News

I really hope most of you aside from this AC looked at the article and not just Mike's rant on one item brought up in it.

(1) Nothing reported in the article was shown to be wrong, but we did get slightly more details on ONE of the numbers mentioned, which if nothing else, is a net positive from bringing all this up. Sprint responding and giving information is a good thing, and helps support the merits and intent of the article.

(2) There were several other gaps aside from the "8 million" pointed out in the article itself. Such as: First, Verizon revealed in its letter that it "receives tens of thousands of requests for customer records, or other customer information from law enforcement."

Assuming a conservative estimate of 20,000 requests per year, Verizon alone receives more requests from law enforcement per year than can be explained by any published surveillance statistics.